Unpatched endpoints and more: first officer's blog - week 45

Unpatched endpoints, inefficient processes and more. Here are the latest stories from the world of cyber risk over the past week.

Mike Parkin | April 03, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED] 

First Officer’s log, Terrestrial date, 20230403. Officer of the Deck reporting. 

It was only a matter of moments before the [REDACTED]’s emergency power came on automatically, assuring the ship had lights, atmosphere, and artificial gravity, though our shields remained down, and the warp drive remained offline. Unfortunately, minimal emergency power didn’t include sensors, so we had no idea what the other ship was doing. 

Reacting according to their training, the crew swung quickly into action, following emergency procedures while the captain assessed the situation and Engineering worked to restore power. With the sensors offline, we had to improvise to get any kind of situational awareness. Fortunately, someone thought to take a pair of macro-binoculars and look out an actual window, reporting their findings to the bridge. 

It was clear from quick observation that the [REDACTED] ship was moving out of the debris field under Impulse power but hadn’t beamed over a boarding party or opened fire with their, admittedly, rather impressive array of mismatched weapon systems. Whether that was because they wanted our ship intact, as they implied, or because they simply hadn’t figured out what to do next remained to be seen. However, if they tried to board, we’d have a good chance of fending them off. The crew was well trained, and the hand-phasers were quite functional, with security already distributing them and stationing themselves at strategic points. But it was obvious that if they opened fire, we’d be helpless. No shields. No weapons. No way to maneuver. 

Engineering, for their part, brought partial power back online and our communications officer managed to tie one of the portable long-range communications units into their console, giving us at least basic communications. A moment later, the captain said something quietly about getting them talking to buy us some time and had Comms open a channel.

“[REDACTED] ship, why have you attacked us?”

First voice: “We want your ship. You should give it to us.” 

Second voice: “Yes, give it to us. We want it.” 

The captain thought for a moment before answering – “[REDACTED] ship, we seem to have had a malfunction. Our ship is broken now too. You don’t want it.” 

First voice: “You will fix it. Then give it to us.” 

Second voice: “Yes, give it to us.” 

The captain looked thoughtful for a moment until Helm got his attention. He nodded to Helm, then addressed the other ship. “Stand by. We’ll see what we can do.”

Helm gave the captain a wry, almost conspiratorial, smile before nodding in the general direction of where we knew the other ship must be. “Sir, I have an idea.”  

We know that it happened. But what actually happened?

What happened 

On March 27, 2023, SASE provider Lumen announced that it had been affected by two ransomware attacks discovered the week before. The attacks apparently affected only a limited number of client systems. According to the report, Lumen is working with law enforcement and regulators, has informed its customers of the event, and has hired an external team to mitigate the threat.

Why it matters 

There’s not a lot of publicly available information on how these two attacks transpired, or what “newly deployed tool” identified the second attack. This isn’t really a surprise, as most organizations don’t like to reveal any more than they have to. That makes perfect sense from a ‘company secrets’ and ‘company reputation’ position, and there is also the valid concern of keeping their defenses confidential and away from possible attackers. But that lack of data makes it much harder for other analysts to understand what happened, which in turn makes it harder to prepare for similar attacks.

From a risk management perspective, the more we know, the better chance we have of preparing for an attack and dealing with it when it happens. Confidentiality has its place. But so does sharing information. 

What they said 

The information that IS available has been widely covered. 

And the survey says . . . there’s still work to be done 

What happened 

A recent survey showed that as much as 20% of an organization’s endpoint devices can remain unpatched indefinitely and that 30% of surveyed organizations took over a month to detect known vulnerabilities in their environment. The survey showed that many organizations lack the tools and processes needed to manage vulnerabilities effectively, and that the general shift to remote work has had an additional impact on security.

Why it matters 

Finding the right balance between the bottom line and being secure has always been a challenge, and each organization has its own point of “acceptable risk.” Managing that risk is its own challenge. Finding the right combination of process and tools to do the job, and to do it within an acceptable budget, takes finesse, and as the survey shows, not everyone manages to pull it off.
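The two survey figures above (endpoints that stay unpatched, and the time it takes to detect a known vulnerability) are both things a team can measure from its own scanner and patch records rather than wait for a survey to tell it. The following is an added example, not code from the post or from any vendor: it takes a small constructed inventory of findings (hypothetical hosts and finding ids, not real advisories) and computes time-to-detect and time-exposed against a detection SLA and a patch SLA, flagging the hosts that fall outside either. The SLA values, the `as_of` date, and the record layout are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

# Constructed sample data (hypothetical hosts and finding ids, not real
# advisories). One row per vulnerability instance on an endpoint:
#   disclosed = vendor published the fix
#   detected  = our scanner first flagged the exposure on that host
#   patched   = remediated on that host (None = still open)
SAMPLE_ROWS = [
    ("ws-001", "VULN-A", date(2023, 1, 10), date(2023, 1, 12), date(2023, 1, 20)),
    ("ws-002", "VULN-A", date(2023, 1, 10), date(2023, 2, 20), None),
    ("ws-003", "VULN-B", date(2023, 2, 1),  date(2023, 2, 3),  date(2023, 3, 30)),
    ("srv-01", "VULN-B", date(2023, 2, 1),  date(2023, 3, 15), None),
    ("srv-02", "VULN-C", date(2023, 3, 1),  date(2023, 3, 2),  date(2023, 3, 10)),
]

# Reporting date for the example (assumed): open findings are measured up to here.
AS_OF = date(2023, 4, 3)


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    disclosed: date
    detected: date
    patched: Optional[date]

    def days_to_detect(self) -> int:
        """Lag between the fix being public and us noticing the exposure."""
        return (self.detected - self.disclosed).days

    def days_exposed(self, as_of: date) -> int:
        """Days the host was (or still is) exposed after the fix was public."""
        return ((self.patched or as_of) - self.disclosed).days


def load_findings(rows) -> List[Finding]:
    return [Finding(*row) for row in rows]


def vuln_metrics(findings: List[Finding], as_of: date,
                 detect_sla_days: int = 30, patch_sla_days: int = 30) -> dict:
    """Summarise detection and remediation latency against two SLAs.

    A patch SLA breach counts both findings that are still open past the
    SLA and findings that were eventually patched but later than the SLA.
    """
    still_open = [f for f in findings if f.patched is None]
    slow_detect = [(f.host, f.vuln_id) for f in findings
                   if f.days_to_detect() > detect_sla_days]
    patch_breaches = [(f.host, f.vuln_id) for f in findings
                      if f.days_exposed(as_of) > patch_sla_days]
    detect_lags = [f.days_to_detect() for f in findings]
    return {
        "total": len(findings),
        "open": len(still_open),
        "open_ratio": len(still_open) / len(findings) if findings else 0.0,
        "median_days_to_detect": median(detect_lags) if detect_lags else 0,
        "slow_detections": slow_detect,
        "patch_sla_breaches": patch_breaches,
    }


def report(metrics: dict) -> str:
    """Render the metrics as a short plain-text summary for a status update."""
    def names(pairs):
        return ", ".join(f"{host}/{vuln}" for host, vuln in pairs) or "none"
    return "\n".join([
        f"findings: {metrics['total']}, still open: {metrics['open']} "
        f"({metrics['open_ratio']:.0%})",
        f"median days to detect: {metrics['median_days_to_detect']}",
        f"detected outside SLA: {names(metrics['slow_detections'])}",
        f"exposed beyond patch SLA: {names(metrics['patch_sla_breaches'])}",
    ])


if __name__ == "__main__":
    print(report(vuln_metrics(load_findings(SAMPLE_ROWS), AS_OF)))
```

On the constructed data two of the five findings took more than a month to detect and three were exposed past the 30-day patch SLA, which is the shape of the problem the survey describes. Feeding it real export rows from a scanner and a patch system in the same five-column form is the only change needed; the dates that matter are the disclosure date and the first-seen date, not the scan date, because a host that is never scanned shows up as a gap rather than as a late detection.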

What they said 

Unsurprisingly, this has turned plenty of heads.

We’ve joined the podcast game

What happened 

Our co-founder and Chief Strategy Officer, Tal Morgenstern, was a guest on two podcasts that aired last week. 

Why it matters 

It’s Tal, on a podcast. Go listen already! 

What they said 

You can check out both of Tal’s podcast appearances below:

AST Cybersecurity